X-Git-Url: https://git.mdrn.pl/redakcja.git/blobdiff_plain/31006b86a2e9883d8a4c5fe18128821b325773ab..0ba24b411f3a582d7688d591c451f307434a2c3a:/apps/wiki/views.py
diff --git a/apps/wiki/views.py b/apps/wiki/views.py
index 1b16077f..6a5f2ac5 100644
--- a/apps/wiki/views.py
+++ b/apps/wiki/views.py
@@ -15,6 +15,7 @@ from django.middleware.gzip import GZipMiddleware
from django.utils.decorators import decorator_from_middleware
from django.utils.encoding import smart_unicode
from django.utils.formats import localize
+from django.utils.html import escape
from django.utils.translation import ugettext as _
from django.views.decorators.http import require_POST
from django.shortcuts import get_object_or_404, render
@@ -41,7 +42,7 @@ def get_history(document):
revisions.append({
"version": i + 1,
"description": revision.description,
-            "author": revision.author_str(),
+            "author": escape(revision.author_str()),
"date": localize(revision.created_at),
"revision": revision.pk,
"published": _("Published") + ": " +
@@ -54,6 +55,8 @@ def get_history(document):
@never_cache
def editor(request, pk, template_name='wiki/bootstrap.html'):
doc = get_object_or_404(Document, pk=pk, deleted=False)
+    if not doc.can_edit(request.user):
+        return HttpResponseForbidden("Not authorized.")
save_form = forms.DocumentTextSaveForm(user=request.user, prefix="textsave")
text = doc.materialize()
@@ -68,7 +71,8 @@ def editor(request, pk, template_name='wiki/bootstrap.html'):
'version': len(history),
'revision': revision.pk,
'stage': doc.stage,
-            'assignment': str(doc.assigned_to),
+            'stage_name': doc.stage_name(),
+            'assignment': doc.assigned_to.username if doc.assigned_to else None,
}),
'serialized_templates': json.dumps([
{'id': t.id, 'name': t.name, 'content': t.content} for t in Template.objects.filter(is_partial=True)
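Review bot: Only the `author` value is HTML-escaped in get_history, while the `description` on the line directly above it is still returned raw, so if the client inserts these history fields into the page as HTML the description has the same exposure the escape was added for. Escaping a single field at the data-producing layer also tends to double-encode wherever the template or JavaScript already escapes; the usual choice is either to keep the dict raw and escape at the rendering point, or to escape every user-derived field here consistently. If escaping in get_history is the intended design, a comment such as `# escaped here: the history dict is rendered as HTML on the client` would record that for the next maintainer. The body of get_history starts and ends outside the hunk.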
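Review bot: The state block added to the editor payload (`'stage'`, `'stage_name'`, `'assignment'`, alongside `'version'`) is repeated nearly verbatim in the text and revert responses (the hunks at -119 and -176), which is the kind of duplication that drifts the next time a key is added. A small module-level helper, e.g. `def document_state(doc): return {'version': len(get_history(doc)), 'stage': doc.stage, 'stage_name': doc.stage_name(), 'assignment': doc.assigned_to.username if doc.assigned_to else None}`, would let each view spread one dict into its response. Separately, `len(get_history(doc))` in the other two hunks builds a fully localized dict per revision just to count them; if the revision relation exposes a count query, that would be cheaper for long histories. The enclosing editor body continues outside the hunk.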
@@ -86,10 +90,10 @@ def editor(request, pk, template_name='wiki/bootstrap.html'):
@decorator_from_middleware(GZipMiddleware)
def text(request, doc_id):
doc = get_object_or_404(Document, pk=doc_id, deleted=False)
-    # if not doc.book.accessible(request):
-    # return HttpResponseForbidden("Not authorized.")
if request.method == 'POST':
+        if not doc.can_edit(request.user):
+            return HttpResponseForbidden("Not authorized.")
form = forms.DocumentTextSaveForm(request.POST, user=request.user, prefix="textsave")
if form.is_valid():
if request.user.is_authenticated():
@@ -119,11 +123,11 @@ def text(request, doc_id):
from traceback import print_exc
print_exc()
raise
-    # revision = doc.revision()
return JSONResponse({
'text': None, # doc.materialize() if parent_revision != revision else None,
-            # 'version': revision,
-            # 'stage': doc.stage.name if doc.stage else None,
+            'version': len(get_history(doc)),
+            'stage': doc.stage,
+            'stage_name': doc.stage_name(),
'assignment': doc.assigned_to.username if doc.assigned_to else None
})
else:
@@ -154,6 +158,8 @@ def revert(request, doc_id):
form = forms.DocumentTextRevertForm(request.POST, prefix="textrevert")
if form.is_valid():
doc = get_object_or_404(Document, pk=doc_id, deleted=False)
+            if not doc.can_edit(request.user):
+                return HttpResponseForbidden("Not authorized.")
rev = get_object_or_404(Revision, pk=form.cleaned_data['revision'])
comment = form.cleaned_data['comment']
@@ -176,8 +182,11 @@ def revert(request, doc_id):
)
return JSONResponse({
-                # 'document': None, #doc.materialize() if before != doc.revision else None,
-                # 'version': doc.revision(),
+                'document': doc.materialize(),
+                'version': len(get_history(doc)),
+                'stage': doc.stage,
+                'stage_name': doc.stage_name(),
+                'assignment': doc.assigned_to.username if doc.assigned_to else None,
})
else:
return JSONFormInvalid(form)
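Review bot: The new can_edit check in text covers only the POST branch, whereas the two commented-out lines it replaces sat before the method test and would have applied to GET as well; as the hunk stands, the read path (the `else:` branch, outside the hunk) still serves the document with no authorization check even though editor now requires can_edit for the same document. If read access is meant to stay open, a one-line comment at the method test, `# GET is intentionally unrestricted; only writes require can_edit`, would make that explicit for reviewers. Otherwise the check belongs above `if request.method == 'POST':`, or the GET branch needs its own read-permission test. The body of text continues past the hunk.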
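Review bot: The can_edit check in revert is placed before the revision lookup, which is the right order, but the lookup on the following context line, `rev = get_object_or_404(Revision, pk=form.cleaned_data['revision'])`, still accepts any Revision id rather than one belonging to doc. If Revision carries a foreign key to its document, constraining the lookup to it, `get_object_or_404(Revision, pk=form.cleaned_data['revision'], DOCUMENT_FIELD=doc)` with the real field name in place of the placeholder, would keep a revert from pulling another document's content into this one. I cannot see the Revision model from here, so the field name is inferred. The enclosing revert body continues outside the hunk.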